Organizations fail to address top cyber vulnerabilities, report says

In a report released today, security experts describe something alarming: it seems governmental and commercial organizations are failing to protect themselves effectively in the areas where they are the most vulnerable.

For this study, network security provider TippingPoint, vulnerability scanning vendor Qualys, members of the SANS Institute and other researchers analyzed data from thousands of computers between March and August this year. During that period, they compared the most common attacks against military organizations, governmental entities, manufacturers, hospitals, colleges and financial institutions with the most common patched and unpatched vulnerabilities.

The study confirmed what the cybersecurity community has warned us about for some time now: the fastest growing area of potential exploitation lies within client-side web applications. That is to say, malicious software that piggybacks on files such as Microsoft Office documents, Adobe PDFs, Flash animations, or QuickTime videos and compromises computer systems when a victim unwittingly downloads and opens them.

The researchers concluded that criminals are mostly using spear phishing schemes (in which they profile specific victims and often design socially engineered e-mails to trick them into downloading a corrupted file) or turning trusted but insecure Web sites into vehicles for malicious content.

Criminals are taking full advantage of these holes, but the study found that organizations are patching client-side vulnerabilities three to five times more slowly than operating system vulnerabilities, SANS Institute research director Alan Paller said. What’s more, security scans often fail to check for these weaknesses.

“For the first time we know where the bad guys are attacking and oh darn, those are not the areas we’re protecting,” he said.

Paller said this discrepancy might be the result of companies not reporting breaches for fear of losing customers’ confidence or, in the case of governmental entities, for national security reasons.

Rob Lee, director of computer forensics firm Mandiant, said he believed organizations were also stuck fighting an old battle.

“The message has not gotten across and they’re still celebrating the successes of patching operating system vulnerabilities,” Lee said. “They’re measuring themselves against metrics from five or ten years ago and finding out they’re doing great.”

The researchers believe that some recent security breaches were the result of the criminal strategies they detailed. Scammers, for instance, tricked the New York Times last weekend into posting an ad for a fake antivirus product on its Web site. In April, computer spies managed to steal several terabytes of data related to an expensive Department of Defense fighter jet project.

The researchers hope more attention and resources will be allocated to addressing these vulnerabilities from now on.

“If security guys are not fixing this, it’s time to get new security guys,” Paller said.